Craig Interpolation for Quantifier-Free Presburger Arithmetic*

Angelo Brillout¹, Daniel Kroening², and Thomas Wahl²

¹ Computer Systems Institute, ETH Zurich
² Computing Laboratory, Oxford University



Abstract. Craig interpolation has become a versatile algorithmic tool for improving software verification. Interpolants can, for instance, accelerate the convergence of fixpoint computations for infinite-state systems. They also help improve the refinement of iteratively computed lazy abstractions. Efficient interpolation procedures have been presented only for a few theories. In this paper, we introduce a complete interpolation method for the full range of quantifier-free Presburger arithmetic formulas. We propose a novel convex variable projection for integer inequalities and a technique to combine them with equalities. The derivation of the interpolant has complexity low-degree polynomial in the size of the refutation proof and is typically fast in practice.



1 Introduction 

A Craig interpolant, or simply interpolant, for an inconsistent pair of formulas A and B is a formula I that is implied by A, inconsistent with B, and contains only variables occurring in both A and B [1]. In other words, a Craig interpolant is weaker than A, but still strong enough to be inconsistent with B, and therefore provides an "explanation" of the inconsistency in terms of the common variables. In his original theorem, Craig showed that an interpolant exists for any two inconsistent first-order formulas A and B.

Craig interpolants have proven to be useful in many areas. McMillan suggested to use them in an over-approximating image operator [2], which has led to a considerable advance in SAT-based model checking. For infinite-state systems, interpolants can significantly improve the refinement step in lazy predicate abstraction [3]. Methods to efficiently compute interpolants are known for propositional logic and linear arithmetic over the reals with uninterpreted functions [4, 5]. For these theories, an interpolant can be derived in linear time from a deductive proof of inconsistency of A and B.

Presburger arithmetic is a popular theory for modeling computer systems, for example to describe the behavior of infinite-state programs [6]. It was shown to be decidable by quantifier elimination [7], which is, however, of double-exponential complexity. Fortunately, formulas arising in system specification and verification are mainly quantifier-free [8,9]. In this paper we therefore focus on quantifier-free Presburger arithmetic (QFP). An interpolant between two inconsistent QFP formulas A and B can be computed by existentially quantifying the variables that occur only in A, followed by quantifier elimination. This approach is, however, prohibitively expensive.

Contribution In this paper, we propose an algorithm that extracts an interpolant directly from a proof of inconsistency of A and B. Our algorithm extends the framework of Pugh's Omega test [10]. We present suitable deduction steps in the form of inference rules. Following a suggestion by McMillan [5], the rules are augmented with partial interpolants, expressions that are transformed step by step to yield an interpolant of the initial formulas A and B once a contradiction has been reached. We present our algorithm for conjunctions of equalities and inequalities; interpolants for an arbitrary Boolean skeleton can be obtained using the framework described in [5].

For conjunctions of equalities, our algorithm exploits the fact that exact variable projection is efficient for certain fragments of QFP. We therefore treat equalities separately in the first part of the paper and describe such a projection procedure. Our procedure supports stride constraints, i.e., quantified equalities expressing divisibility relationships. For conjunctions of inequalities, we show that deriving an interpolant requires the strongest convex projection (which may be inexact) and give an efficient algorithm for computing this projection. Finally, we describe the first interpolation method that combines conjunctions of integer equality and inequality constraints.

Related work For propositional logic, several interpolation methods have been presented [4,2,11]. In addition to the work by McMillan [5], Rybalchenko et al. propose an algorithm for linear arithmetic over the reals with uninterpreted functions that circumvents the need for an explicit proof [12]. For integer arithmetic, McMillan considers the logic of difference-bound constraints [3]. This logic, a fragment of QFP, is decidable by reducing it to arithmetic over the reals. Difference-bound constraints are, however, not sufficient to express many typical program constructs, such as integer divisibility [8].

For interpolating SMT (satisfiability modulo theory) solvers, which involve calls to theory-specific provers, combination frameworks have been presented in [13,14]. In [15], an SMT solver is used to derive interpolants for rational linear arithmetic with uninterpreted functions. In [16], separate interpolation procedures for two theories are presented, namely (i) QFP restricted to conjunctions of integer linear (dis)equalities and (ii) QFP restricted to conjunctions of stride constraints. The combination of both fragments with integer linear inequalities is, however, not supported. Our work closes this gap, as it permits predicates involving all types of constraints. Such predicates arise naturally for instance in inductive invariant discovery, as argued in [16].

Outline This paper is organized as follows. Section 2 contains background and terminology. In section 3, we present the rules for computing interpolants of inconsistent equality and stride constraints. Section 4 does the same for inequality constraints and for combinations of both. In section 5.2, we discuss the time complexity of our algorithm.

2 Preliminaries 

2.1 Craig Interpolants 

Two QFP formulas are inconsistent if their conjunction is unsatisfiable. We define $V(\phi)$ to be the set of variables occurring in a (quantifier-free) formula $\phi$. For any two formulas A and B, we write $\mathcal{L}_A$ for the set of variables local to A, i.e., $\mathcal{L}_A = V(A) \setminus V(B)$. Analogously, we write $\mathcal{G}$ for the global (common) variables of A and B, i.e., $\mathcal{G} = V(A) \cap V(B)$. The quantifier-free formulas A and B are equisatisfiable, denoted $A \equiv B$, if existentially quantifying their respective local variables produces two logically equivalent formulas, i.e., $\exists \mathcal{L}_A . A \equiv \exists \mathcal{L}_B . B$. Let $\bot$ and $\top$ represent the Boolean values false and true, respectively.

Definition 1. A (Craig) interpolant for two inconsistent quantifier-free formulas (A, B) is a formula I such that:

(1) $A \models I$,

(2) $(B, I) \models \bot$, and

(3) $V(I) \subseteq \mathcal{G}$.

As an example, let A and B be the (inconsistent) formulas $x = y + 1 \wedge z = y$ and $x = y$, respectively. An example of an interpolant I for A and B is $x = y + 1$.

2.2 Quantifier-free Presburger Arithmetic

Presburger arithmetic is the first-order theory defined by the structure $\langle \mathbb{Z}, =, <, + \rangle$, i.e., quantified linear integer arithmetic with arbitrary Boolean connectives. In 1929, M. Presburger presented a quantifier elimination procedure for this logic, which gives rise to a decision procedure [7].

We consider in this paper quantifier-free Presburger arithmetic with stride predicates, denoted QFP. Atoms, henceforth called constraints, are of the form

$t \bowtie 0$ ($\bowtie \in \{=, \le\}$) or $d \mid t$ ($d \in \mathbb{N}_{\ge 2}$),

where t is a term of the form $\sum_{j \in J} a_j x_j + c$. We call these atoms equality, inequality and stride constraints.

The stride predicates $d \mid t$ specify divisibility properties of a term t, e.g., $2 \mid x$ denotes that x is even. We refer to d as the periodicity of a stride constraint. To motivate the need for stride predicates, consider the equalities $x - 2y = 0$ and $x - 2z - 1 = 0$, whose only quantifier-free interpolant is $2 \mid x$ [5].

We say that two constraints $\sum_{j \in J} a_j x_j + c \bowtie 0$ and $\sum_{j \in J} b_j x_j + d \bowtie 0$ are parallel if for every $j \in J$, $a_j = b_j$ or for every $j \in J$, $a_j = -b_j$. A unit coefficient is a coefficient $a_j$ with $|a_j| = 1$.
QFP formulas are constructed using the usual Boolean connectives. We adopt the method in [5] to reduce reasoning over arbitrary Boolean combinations of constraints to reasoning over conjunctions. Despite the stipulation of being quantifier-free, we permit a restricted form of quantification in QFP, namely over finite sets of integers. Formulas containing such quantifications are semantically quantifier-free since they can be rewritten using a finite disjunction.

2.3 Equisatisfiability-Preserving Manipulations 

Tightening of inequalities Let $g := \gcd(\{|a_j| : j \in J\})$ be the greatest common divisor of the coefficients in the term $t = \sum_{j \in J} a_j x_j + c$ of an inequality $t \le 0$. We say the inequality is tight if g divides c. Every inequality can be transformed into an equivalent tight form by replacing c with $g \lceil c/g \rceil$. We refer to $T(I)$ as the tight form of an inequality I. (Note that an equality constraint $t = 0$ is unsatisfiable if g does not divide c.)

Homogenization Let $Q(x)$ be a formula over x. We homogenize $Q(x)$ by computing an equisatisfiable formula $F(\sigma)$ over a new variable $\sigma$ (but without x) such that all coefficients of $\sigma$ are unit coefficients. This is achieved as follows:

1. Compute the least common multiple $l := \mathrm{lcm}(\{|a| : a \text{ is a coefficient of } x \text{ in some constraint}\})$.

2. Multiply each constraint over a term containing a multiple $ax$ of x by $l/|a|$; for a stride constraint $d \mid t$ this means to multiply both d and t by $l/|a|$. The result is a formula $Q'(x)$ equivalent to $Q(x)$ where all coefficients of x are either l or $-l$.

3. Replace every occurrence of $lx$ in $Q'(x)$ with a new variable $\sigma$ and conjoin the result with the new constraint $l \mid \sigma$.

The obtained formula $F(\sigma)$ and the original $Q(x)$ are equisatisfiable, with $\sigma$ having unit coefficients everywhere, as shown by Cooper [17]. A formula is called $\sigma$-homogenized if all occurrences of $\sigma$ have unit coefficients.

Exact projection We define a projection method that is based on [17]; our method is simpler since it assumes an x-homogenized conjunction $Q(x)$ of constraints containing at most one inequality. Exact projection amounts to eliminating x from $Q(x)$, resulting in an equisatisfiable formula. We distinguish two cases:

- If there is at least one equality containing x in $Q(x)$, let eq be any such equality. Since every occurrence of x has a unit coefficient, eq can be rewritten as $x = t$. Now obtain a new, equisatisfiable formula $Q'(t)$ by dropping the conjunct eq from $Q(x)$ and replacing x by t everywhere else.

- Otherwise, let $l := \mathrm{lcm}(\{d : d \text{ is a periodicity of some stride constraint containing } x\})$. Remove any inequality over x from $Q(x)$, resulting in a $Q'(x)$. Eliminate x by replacing $Q'(x)$ with $\exists i \in \{0, \ldots, l\}. Q'(i)$. The result is equisatisfiable to $Q(x)$.

We denote by $proj(Q(x), x)$ a procedure that first x-homogenizes $Q(x)$ and then returns an equisatisfiable formula by exact projection. We extend this procedure to act on a formula Q and a set of variables V, denoted $proj(Q, V)$, by applying proj to $(Q(x), x)$ for all $x \in V$ in any order.
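The homogenization and exact projection steps of this section, as an added Python example (my own code, not the paper's or any Omega-test implementation). Terms use a constructed dictionary encoding, constraints are tagged "eq", "le" or "div", and the helper names (`homogenize`, `exact_project`, `proj`, `agree`) are my own. Applied to the stride constraint $6 \mid 3z - 2y - 2$ along z (the partial interpolant of Example 1 in section 3.2), `proj` returns the finite disjunction $\exists i \in \{0, \ldots, 6\}. (6 \mid i - 2y - 2) \wedge (3 \mid i)$; `agree` checks equisatisfiability by brute force over a box of integer points, which is the check a practitioner wants before trusting a projection routine.

```python
from itertools import product
from math import gcd

# Constructed encoding (not the paper's notation): a term  sum a_j x_j + c  is a dict
# {var: coeff, CONST: c}; a constraint is ("eq", t) for t = 0, ("le", t) for t <= 0
# or ("div", d, t) for the stride constraint d | t.
CONST = "_c"


def lcm(a, b):
    return a * b // gcd(a, b)


def scale(t, k):
    return {v: k * c for v, c in t.items()}


def subst(t, x, rep):
    """t{x <- rep}: replace variable x in term t by the term rep."""
    k = t.get(x, 0)
    out = {v: c for v, c in t.items() if v != x}
    for v, c in rep.items():
        out[v] = out.get(v, 0) + k * c
    return {v: c for v, c in out.items() if c != 0}


def homogenize(q, x, sigma):
    """Steps 1-3 of section 2.3: scale every constraint so the coefficient of x
    is +-l, replace l*x by sigma and conjoin the stride constraint l | sigma."""
    coeffs = [abs(con[-1][x]) for con in q if con[-1].get(x)]
    if not coeffs:
        return list(q)                      # x does not occur: nothing to do
    l = 1
    for a in coeffs:
        l = lcm(l, a)
    out = []
    for con in q:
        a = con[-1].get(x, 0)
        if a == 0:
            out.append(con)
            continue
        k = l // abs(a)                     # multiply the constraint by l/|a|
        t = scale(con[-1], k)
        t[sigma] = t.pop(x) // l            # coefficient of x is now +-l, so sigma gets +-1
        out.append(("div", con[1] * k, t) if con[0] == "div" else (con[0], t))
    out.append(("div", l, {sigma: 1}))
    return out


def exact_project(q, x):
    """Exact projection of an x-homogenized conjunction q (at most one inequality).
    Returns ("subst", q') when an equality x = t was used, otherwise
    ("exists", x, l, q') standing for the finite disjunction over i in {0..l} of q'{x <- i}."""
    for con in q:
        if con[0] == "eq" and con[-1].get(x) in (1, -1):
            a = con[-1][x]
            rep = {v: -a * c for v, c in con[-1].items() if v != x}   # a*x + t = 0  =>  x = -a*t
            rest = [c[:-1] + (subst(c[-1], x, rep),) for c in q if c is not con]
            return "subst", rest
    l = 1
    for con in q:
        if con[0] == "div" and x in con[-1]:
            l = lcm(l, con[1])
    rest = [c for c in q if not (c[0] == "le" and x in c[-1])]   # drop the inequality over x
    return "exists", x, l, rest


def proj(q, x, sigma="σ"):
    """proj(Q(x), x): homogenize x into sigma, then project sigma exactly."""
    return exact_project(homogenize(q, x, sigma), sigma)


def sat_con(con, env):
    val = sum(c * (1 if v == CONST else env[v]) for v, c in con[-1].items())
    return val == 0 if con[0] == "eq" else val <= 0 if con[0] == "le" else val % con[1] == 0


def sat_result(result, env):
    """Truth value of a projection result under an assignment of the remaining variables."""
    if result[0] == "subst":
        return all(sat_con(c, env) for c in result[1])
    _, x, l, rest = result
    return any(all(sat_con(c, {**env, x: i}) for c in rest) for i in range(l + 1))


def agree(q, x, result, others, box):
    """Brute-force equisatisfiability check over integer points in [-box, box]:
    for each assignment of the other variables, q is satisfiable for some x
    (searched in a 4*box window) exactly when the projection holds."""
    for values in product(range(-box, box + 1), repeat=len(others)):
        env = dict(zip(others, values))
        original = any(all(sat_con(c, {**env, x: xv}) for c in q)
                       for xv in range(-4 * box, 4 * box + 1))
        if original != sat_result(result, env):
            return False
    return True
```

The equality branch is exercised by projecting x out of $2x - 4y + 2 = 0 \wedge x + y \le 0$: homogenization scales the inequality by 2 and introduces $2 \mid \sigma$, the unit-coefficient equality then gives $\sigma = 4y - 2$, and the result $6y - 2 \le 0 \wedge 2 \mid 4y - 2$ is equisatisfiable to the input.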

3 Equality and Stride Constraints 

In this section, we present an algorithm for deriving an interpolant for two inconsistent formulas A and B that are conjunctions of stride and equality constraints. The algorithm is based on an elimination procedure for equality and stride constraints (section 3.1). The procedure is refined in section 3.2 by annotating its steps with partial interpolants.

3.1 Eliminating Equality and Stride Constraints 

We use an algorithm proposed by Pugh [10] for eliminating the equalities from the system of constraints. For this purpose, we need a slightly modified "centered" modulus function $\hat{\bmod}$, defined as $a \mathrel{\hat{\bmod}} b := a - b \lfloor a/b + 1/2 \rfloor$. We write $t \mathrel{\hat{\bmod}} b$ to denote $\sum_{i \in I} (a_i \mathrel{\hat{\bmod}} b) x_i + (c \mathrel{\hat{\bmod}} b)$ for a term t of the form $\sum_{i \in I} a_i x_i + c$. This follows from distributivity of mod.

The elimination algorithm first replaces each stride constraint $d \mid t$ by the equisatisfiable equality $d\sigma + t = 0$, where $\sigma$ is a fresh variable. What remains is a system of equalities. Consider the following equality involving variable x:

$ax + t = 0 . \qquad (1)$

If x has a unit coefficient, we can eliminate the equality by deleting it from the system and replacing every occurrence of x by $-at$. Otherwise, by applying the $\hat{\bmod}$ operator to both sides of equality (1) and introducing a fresh variable $\sigma$, we obtain the new constraint

(2)

where $m = |a| + 1$. Since $a \mathrel{\hat{\bmod}} m = -\mathrm{sign}(a)$, variable x in (2) has a unit coefficient. Thus, we can eliminate x in (1) and in all other constraints involving x. As shown in [10], the absolute values of the coefficients in the new equality resulting from (1) have decreased, eventually resulting in an equality with a unit coefficient. This equality can be eliminated without applying the $\hat{\bmod}$ operator.

We call the original constraint (1), which is used to derive a constraint with a unit coefficient, the pivot equality, denoted $eq_p$. Let $\phi$ be a conjunction of equalities. We denote by $elim(\phi)$ the procedure that eliminates all equalities in $\phi$ using pivot equalities $eq_p$ chosen according to some heuristics; we refer the reader to [10] for such a heuristic. Note that each elimination of an equality leaves the remaining system equisatisfiable to the original one. Therefore, if the procedure ever encounters an unsatisfiable equality, it immediately returns $\bot$, indicating inconsistency of the original constraints. Otherwise, the original system is eventually reduced to an equality of the form $c = c$ for some constant c; the procedure returns $\top$. Note that, since we assume A and B to be inconsistent, elim never returns $\top$ unless we consider combinations of equalities and inequalities and the inconsistency is due to the inequalities (section 5).
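The centered modulus and Pugh's equality elimination, as an added Python example (my own code, not the paper's and not taken from the Omega library). Terms use a constructed dictionary encoding; the pivot heuristic (the variable with the smallest absolute coefficient anywhere in the system), the `normalize` step that divides an equality by the gcd of its coefficients and raises the unsatisfiability flag there, and the numbering of the fresh variables $\sigma_0, \sigma_1, \ldots$ are my own choices. On the system of Example 1 in section 3.2 the procedure returns $\bot$ after substituting $y = 6x$; on $3x + 5y - 7 = 0$ it needs two $\hat{\bmod}$ steps to reach $\top$, and `solve` back-substitutes the recorded substitutions into a concrete integer solution.

```python
from fractions import Fraction
from math import floor, gcd

# Constructed encoding: a term  sum a_i x_i + c  is {var: coeff, CONST: c}; an
# equality is such a term, read as  term = 0.
CONST = "_c"


def cmod(a, b):
    """Centered modulus  a mod^ b := a - b*floor(a/b + 1/2); for b = |a|+1 it yields -sign(a)."""
    return a - b * floor(Fraction(a, b) + Fraction(1, 2))


def term_mod(t, m):
    """t mod^ m applied coefficient-wise; zero coefficients are dropped."""
    return {v: cmod(c, m) for v, c in t.items() if cmod(c, m) != 0}


def substitute(t, x, rep):
    """t{x <- rep}: replace variable x in term t by the term rep."""
    k = t.get(x, 0)
    out = {v: c for v, c in t.items() if v != x}
    for v, c in rep.items():
        out[v] = out.get(v, 0) + k * c
    return {v: c for v, c in out.items() if c != 0}


def normalize(eq):
    """Divide by the gcd g of the variable coefficients.  None: g does not divide c,
    i.e. the equality is unsatisfiable; {}: the equality has become 0 = 0."""
    coeffs = {v: c for v, c in eq.items() if v != CONST and c != 0}
    c = eq.get(CONST, 0)
    if not coeffs:
        return {} if c == 0 else None
    g = 0
    for a in coeffs.values():
        g = gcd(g, abs(a))
    if c % g:
        return None
    out = {v: a // g for v, a in coeffs.items()}
    if c:
        out[CONST] = c // g
    return out


def elim(equalities):
    """Pugh's elimination of a conjunction of equalities.  Returns (True, subs) when
    the system reduces to T and (False, subs) when an unsatisfiable equality is met;
    subs lists the substitutions (x, t) meaning x = t, in the order they were made."""
    eqs, subs, fresh = [dict(e) for e in equalities], [], 0
    while True:
        norm = [normalize(e) for e in eqs]
        if any(e is None for e in norm):
            return False, subs
        eqs = [e for e in norm if e]
        if not eqs:
            return True, subs
        # pivot heuristic (own choice): the (equality, variable) with the smallest |coefficient|
        piv, x = min(((e, v) for e in eqs for v in e if v != CONST),
                     key=lambda p: abs(p[0][p[1]]))
        a = piv[x]
        if abs(a) == 1:
            rep = {v: -a * c for v, c in piv.items() if v != x}   # a*x + t = 0  =>  x = -a*t
            eqs.remove(piv)                                        # the pivot itself is consumed
        else:
            # apply mod^ m with m = |a|+1 to the pivot and introduce a fresh sigma;
            # x now has coefficient -sign(a), so the new constraint can be solved for x
            m = abs(a) + 1
            sigma, fresh = f"σ{fresh}", fresh + 1
            new = term_mod(piv, m)
            new[sigma] = -m
            s = new[x]                                             # -sign(a)
            rep = {v: -s * c for v, c in new.items() if v != x}
        subs.append((x, rep))
        eqs = [substitute(e, x, rep) for e in eqs]                 # pivot stays until it normalizes away


def solve(subs, free=None):
    """Back-substitute: assign the free variables (default 0) and evaluate the
    substitutions in reverse order to obtain one concrete integer solution."""
    env = dict(free or {})
    for x, rep in reversed(subs):
        env[x] = sum(c * (1 if v == CONST else env.get(v, 0)) for v, c in rep.items())
    return env
```

For $3x + 5y - 7 = 0$ the pivot coefficient 3 gives $m = 4$ and the constraint $-x + y + 1 - 4\sigma_0 = 0$; after substituting $x = y + 1 - 4\sigma_0$ the pivot normalizes to $2y - 3\sigma_0 - 1 = 0$, a second step with $m = 3$ yields $y = -1 - 3\sigma_1$, and the remaining equality $-\sigma_0 - 2\sigma_1 - 1 = 0$ has a unit coefficient, so every value of $\sigma_1$ produces a solution.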



3.2 Interpolation for Equality and Stride Constraints 

The first part of our contribution follows. We introduce rules in order to derive an interpolant from a proof of inconsistency of the linear equality formulas A and B. To do so, we borrow the notion of a partial interpolant from [5].

Definition 2. A partial equality interpolant for (A, B) is a conjunction of linear equalities $\phi^A$ such that:

(1) $A \models \phi^A$, and

(2) $(B, \phi^A) \models \phi$, and

(3) if $\phi$ contains an unsatisfiable equality, then $V(\phi^A) \subseteq \mathcal{G}$,

where A, B and $\phi$ are conjunctions of equalities. We write $(A, B) \vdash \phi\ [\phi^A]$ if we can derive the partial interpolant $\phi^A$ from (A, B).

Observe that if $\phi = \bot$, definitions 1 and 2 coincide, with $\phi^A$ as the interpolant.

Consider now a proof of inconsistency of the two conjunctions A and B of equalities. The proof consists of a sequence of proof rule applications. We extend these rules to apply to partial interpolants that are attached to antecedent and consequent of the rules. The partial interpolants are transformed to eventually result in an interpolant for (A, B). We first present a rule to introduce hypotheses and the corresponding partial interpolant for (A, B) in the proof tree.

$$\textsc{HypEq}\ \frac{}{(A, B) \vdash A \wedge B\ [A]}$$

The partial interpolant is simply A. Note that HypEq introduces all equalities simultaneously. The soundness proof for this rule, showing that the derived partial equality interpolant conforms to the three conditions of definition 2, is straightforward.

The next rule eliminates the equality constraints as mentioned in section 3.1. The rule results in a partial interpolant where A is projected by elimination of the variables local to A:

$$\textsc{ElimEq}\ \frac{(A, B) \vdash A \wedge B\ [A]}{(A, B) \vdash elim(A \wedge B)\ [proj(A, \mathcal{L}_A)]}$$

If function $elim(A \wedge B)$ returns $\bot$, the (final) interpolant is $proj(A, \mathcal{L}_A)$. Note that, in this interpolant, every variable local to A has been eliminated by proj and that no new variable has been introduced.
Soundness (of ElimEq). To show the soundness of the rule, we argue that the rule preserves the three conditions of definition 2. Regarding the first condition, the fact that $A \models proj(A, \mathcal{L}_A)$ follows immediately from the soundness of Cooper's projection procedure. Since $A \wedge B \equiv B \wedge proj(A, \mathcal{L}_A) \equiv elim(A \wedge B)$, we know that $(B, proj(A, \mathcal{L}_A)) \models elim(A \wedge B)$. This shows condition 2. The proj procedure eliminates every local variable to A and thus $V(proj(A, \mathcal{L}_A)) \subseteq \mathcal{G}$. This shows condition 3. □

Example 1. We would like to find an interpolant for $A = (6 \mid 3z - 2y - 2)$ and $B = (6x - y = 0)$. Using the HypEq rule, we introduce both constraints and the partial interpolant. We apply the ElimEq rule to the result:

$$\textsc{ElimEq}\ \frac{(A, B) \vdash 6\sigma + 3z - 2y - 2 = 0 \wedge 6x - y = 0\ [6 \mid 3z - 2y - 2]}{(A, B) \vdash 6\sigma + 3z - 12x - 2 = 0\ [\exists i \in \{0, \ldots, 6\}. (6 \mid i - 2y - 2) \wedge (3 \mid i)]}$$

We eliminate y by applying elim, since y has a unit coefficient in $6x - y = 0$. However, the substitution of $6x$ for y produces a contradiction since $\gcd(6, 12)$ does not divide 2. We project the partial interpolant by eliminating the only local variable $z \in \mathcal{L}_A$. To do so, proj z-homogenizes the partial interpolant, resulting in $(6 \mid \sigma - 2y - 2) \wedge (3 \mid \sigma)$ and finally in the interpolant $\exists i \in \{0, \ldots, 6\}. (6 \mid i - 2y - 2) \wedge (3 \mid i)$. □



4 Inequality Constraints 

This section presents a method for deriving an interpolant for two inconsistent formulas A and B that are conjunctions of inequalities. We first review the variable elimination procedure used in the Omega test (Section 4.1). We then introduce the notion of strongest convex projection (Section 4.2), which is necessary to refine the procedure with partial interpolants (Section 4.3).



4.1 Fourier-Motzkin variable elimination for QFP

W. Pugh adapted the Fourier-Motzkin (FM) variable elimination method to QFP [10]. This section briefly reviews this method. In the following, $t_1$ and $t_2$ are two terms not containing the variable x, and a, b are positive integers. Consider the two inequalities

$ax + t_1 \le 0 \quad \text{and} \quad -bx + t_2 \le 0 . \qquad (3)$

These inequalities are upper (left constraint) and lower (right constraint) bounds on x. Equivalently, we get

$a t_2 \le abx \le -b t_1 \qquad (4)$

by multiplying the upper and lower bounds by b and a, respectively. The FM method eliminates variable x by deducing the following inequality from (4):

$T(a t_2 + b t_1 \le 0) \qquad (5)$
where $T(a t_2 + b t_1 \le 0)$ denotes the tight form of $a t_2 + b t_1 \le 0$. Inequality (5) is a projection of (4) that eliminates x. Note that (4) implies (5), but not generally vice versa: the two are not equisatisfiable. We therefore speak of an inexact projection. If the distance between the upper and the lower bound is less than ab, there may or may not be a solution to the following equation:

$T(-ab + 1 \le a t_2 + b t_1 \le 0) . \qquad (6)$

Note that in (6), the strict inequality $-ab < a t_2 + b t_1$ has been replaced by the equivalent inequality $-ab + 1 \le a t_2 + b t_1$. In geometrical terms, (6) describes the "thin" part of the polyhedron (4). If no inconsistency is found by (inexact) projection of all inequalities, i.e., only inequalities of the form $-p \le 0$, $p \in \mathbb{N}_{\ge 1}$ remain, one must check for solutions in this "thin" part.

For this purpose, Pugh introduced splinters. Given are the bounds (3) leading to inexact projection. An equality $-bx + t_2 + i = 0$ is added to the original set of inequalities. This equality is eliminated as explained in section 3.1 and the FM algorithm is called recursively. This is done for each $i \in \{0, \ldots, s\}$ where $s = \lfloor (|n| b - |n| - b) / |n| \rfloor$ and n is the negative coefficient of x with the largest absolute value in any inequality. If all splinters of all inexact projections produce an inconsistency, then the original system of inequalities is unsatisfiable. We refer the reader to [10] for further details.

4.2 Strongest Convex Projection 

Consider the case that an inconsistency is reached without the need for splinters, i.e., inexact projection is sufficient to show inconsistency of (A, B). Since the inexact projection (5), being a single inequality, describes a convex region, there is also a convex interpolant. In order to compute it, we introduce the notion of strongest convex projection, i.e., the strongest projection expressible with one inequality. Formally, we introduce:

Definition 3. For lower and upper bounds $ax + t_1 \le 0$ and $-bx + t_2 \le 0$, let $t' \le 0$ be the tight form of $a t_2 + b t_1 \le 0$, and let $m \ge 0$. Inequality $t' + m \le 0$ is the strongest convex projection of these bounds if there is no integer i such that:

$(a t_2 \le abx \le -b t_1) \models (t' + i \le 0) \models (t' + m \le 0) .$

We now present a new method to compute the strongest convex projection of a lower and an upper bound; see algorithm 1. The bounds are converted into the inequality $-ab + 1 \le a t_2 + b t_1 \le 0$. Tightening this inequality results in a constraint of the form $-c' \le t' \le 0$, which can equivalently be expressed as the quantifier-free formula $\exists i \in \{-c', \ldots, 0\}. t' = i$. This is our pivot equality (line 1). This equality, conjoined with the lower and upper bounds, can be checked for satisfiability, thus revealing which integers i are feasible in the "thin" part of the polyhedron (4). We perform this check in line 2 using an elimination procedure modified from section 3.1: we find an equality with a unit coefficient, rewrite it into the form $y = t_y$ and replace every occurrence of y in the inequality and in $eq_p$ by $t_y$. This is repeated until the pivot equality $eq_p$ is reduced to $\top$, resulting in the bounds of the form as given by $I_1$ and $I_2$ in line 2. Note that the constants c and d depend on i.



Algorithm 1 Strongest convex projection

Input: lower bound $ax + t_1 \le 0$, upper bound $-bx + t_2 \le 0$
Output: strongest convex projection of these bounds

1: let $eq_p = (\exists i \in \{-c', \ldots, 0\}. t' = i)$   // tight form of $-ab + 1 \le a t_2 + b t_1 \le 0$
2: let $I_1 = (t'_1 + c(i) \le 0)$ and $I_2 = (t'_2 + d(i) \le 0)$ be the tight inequalities resulting from reducing $eq_p$ to $\top$
3: if $t'_1 = t'_2$ or $I_1$ and $I_2$ are not parallel then
4:   return $t' \le 0$
5: else   // $t'_1 = -t'_2$
6:   let $\Delta = \{i : -c' \le i \le 0 \wedge c(i) + d(i) \le 0\}$
7:   if $\Delta \ne \emptyset$ then
8:     return $t' - (\min \Delta) \le 0$
9:   else
10:    return $t' - c' + 1 \le 0$



We demonstrate some aspects of algorithm 1 with the following example.

Example 2. Suppose the following bounds are given:

$x + 3y - 2 \le 0 \wedge x - 3y + 1 \le 0 . \qquad (7)$

In line 1, the algorithm tightens the "thin" part of the projection, which is $-8 \le 6x - 3 \le 0$. The result is $6x = 0$, i.e., here $c' = 0$ and $i = 0$. In line 2, this equality is substituted into (7); tightening produces the two inequalities $3y \le 0$ and $-3y + 3 \le 0$. These are parallel with unequal terms (case $t'_1 = -t'_2$, line 5). Since $\Delta = \emptyset$, the strongest convex projection $6x + 1 \le 0$ is returned in line 10. □

In the following section, we continue example 2 and demonstrate why the notion of strongest convex projection is necessary for deriving partial interpolants.

4.3 Interpolation for Inequality Constraints 

The notion of partial interpolants for inequalities is defined as follows.

Definition 4. A partial inequality interpolant for (A, B) is an inequality $t^A \le 0$ such that:

(1) $A \models t^A \le 0$,

(2) $B \models t - t^A \le 0$, and

(3) $V(t^A \le 0) \subseteq V(A)$ and $V(t - t^A) \subseteq V(B)$,

where A, B are conjunctions of inequalities and t, $t^A$ terms. We write $(A, B) \vdash t \le 0\ [t^A \le 0]$ if we can derive the partial interpolant $t^A \le 0$ from (A, B).

Observe that if t is a positive constant, $t - t^A \le 0$ is a contradiction and $t^A \le 0$ is an interpolant for (A, B).

We now present rules that implement the FM elimination procedure for QFP. As with equalities, these rules also compute partial interpolants that preserve the properties of definition 4. When introducing a hypothesis in the proof, the partial interpolant depends on the origin of the hypothesis:

$$\textsc{HypIn}\ \frac{}{(A, B) \vdash t \le 0\ [\chi_A(t \le 0)]}\ (t \le 0) \in (A, B)$$

where $\chi_A(t \le 0)$ is defined to be $t \le 0$ if $t \le 0 \in A$ and $0 \le 0$ otherwise.

The next rule projects inequalities. When combining two inequalities to achieve projection, the same linear combination is applied to the partial interpolants:

$$\textsc{Proj}\ \frac{(A, B) \vdash ax + t_1 \le 0\ [t_1^A \le 0] \qquad (A, B) \vdash -bx + t_2 \le 0\ [t_2^A \le 0]}{(A, B) \vdash T(a t_2 + b t_1 \le 0)\ [T(a t_2^A + b t_1^A + m \le 0)]}$$

where m is a constant such that if inexact projection occurs, $T(a t_2^A + b t_1^A + m \le 0)$ is the strongest convex projection, and otherwise $m = 0$.

Soundness (of Proj). We check if the conditions of definition 4 are preserved. Condition 1 is straightforward. From the premises, we know that $B \models ax + t_1 - t_1^A \le 0$ and $B \models -bx + t_2 - t_2^A \le 0$ and thus $B \models (a t_2 + b t_1) - (a t_2^A + b t_1^A) \le 0$, which is convex. Tightening a constraint only increases the constant c of the corresponding inequality and since the projection (if any) of the partial interpolant is the strongest, we conclude $B \models T(a t_2 + b t_1) - T(a t_2^A + b t_1^A + m) \le 0$. This proves condition 2. The fact that T does not change the coefficients in a constraint emphasizes the similarity with the linear arithmetic method described in [5]. As in this work, projection by eliminating a variable x also eliminates x in the partial interpolant. Since every variable has to be eliminated to obtain an inconsistency, the interpolant does not contain any local variable. This shows condition 3. □

Example 3. We show how to derive an interpolant for $A = x + 3y - 2 \le 0 \wedge x - 3y + 1 \le 0$ and $B = -x \le 0$. We write $t \le 0\ [t^A \le 0]$ instead of $(A, B) \vdash t \le 0\ [t^A \le 0]$ and we do not show how to introduce hypotheses to save space. First, we project the two inequalities from A by eliminating x:

$$\textsc{Proj}\ \frac{-x \le 0\ [0 \le 0] \qquad x + 3y - 2 \le 0\ [x + 3y - 2 \le 0]}{3y \le 0\ [x + 3y - 2 \le 0]} \qquad \textsc{Proj}\ \frac{-x \le 0\ [0 \le 0] \qquad x - 3y + 1 \le 0\ [x - 3y + 1 \le 0]}{-3y + 1 \le 0\ [x - 3y + 1 \le 0]}$$

We can now derive a contradiction by eliminating y:

$$\textsc{Proj}\ \frac{3y \le 0\ [x + 3y + 1 \le 0] \qquad -3y + 1 \le 0\ [x - 3y - 2 \le 0]}{3 \le 0\ [6x + 1 \le 0]}$$

Note that the interpolant $6x + 1 \le 0$ is the strongest convex projection of $x + 3y + 1 \le 0$ and $x - 3y - 2 \le 0$, which was computed in the example at the end of section 4.2. Observe that the standard projection of the partial interpolant according to equation (5) is $6x \le 0$, which does not interpolate (A, B). □
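Sections 4.1 to 4.3 as one added Python example (my own code, not the paper's or an Omega-test implementation): tightening, the inexact FM projection (5), Algorithm 1 for the strongest convex projection, and the Proj rule carrying partial interpolants. Terms use a constructed dictionary encoding; the function names and the `implied` brute-force check are mine. Two simplifications are assumptions of this code, not statements of the paper: Algorithm 1 is implemented only for bounds whose projection $t'$ mentions a single variable, so the pivot equality $t' = i$ can be solved directly instead of by the elimination of section 3.1, and in line 8 the code keeps the largest feasible $i$ in $\Delta$ (the constant that every feasible point still satisfies, as Definition 3 requires) and verifies the result against an enumeration of integer points. On the bounds (7) the result is $6x + 1 \le 0$ as in Example 2; on the judgements of Example 3 the Proj rule yields the interpolant $6x + 1 \le 0$, the derived inequality differing from the text only because T is applied at every step.

```python
from itertools import product
from math import gcd

# Constructed encoding (not the paper's): a term  sum a_j x_j + c  is {var: coeff, CONST: c}
# and stands for the inequality  term <= 0.
CONST = "_c"


def lin(t1, t2, a=1, b=1):
    """a*t1 + b*t2 with zero coefficients dropped."""
    out = {}
    for t, k in ((t1, a), (t2, b)):
        for v, c in t.items():
            out[v] = out.get(v, 0) + k * c
    return {v: c for v, c in out.items() if c != 0}


def drop(t, x):
    return {v: c for v, c in t.items() if v != x}


def tighten(t):
    """T(t <= 0): with g = gcd of the variable coefficients, replace c by g*ceil(c/g)."""
    g = 0
    for v, c in t.items():
        if v != CONST:
            g = gcd(g, abs(c))
    if g == 0:
        return dict(t)
    c = g * -((-t.get(CONST, 0)) // g)          # g*ceil(c/g) in integer arithmetic
    return lin(drop(t, CONST), {CONST: c})


def holds(t, point):
    """Evaluate t <= 0 at an integer point {var: value}; absent variables count as 0."""
    return sum(c * (1 if v == CONST else point.get(v, 0)) for v, c in t.items()) <= 0


def fm_project(upper, lower, x):
    """Inexact projection (5): from a*x + t1 <= 0 and -b*x + t2 <= 0 derive
    T(a*t2 + b*t1 <= 0).  Returns (projection, a, b)."""
    a, b = upper[x], -lower[x]
    assert a > 0 and b > 0, "upper bound needs a > 0, lower bound needs b > 0"
    return tighten(lin(drop(lower, x), drop(upper, x), a, b)), a, b


def strongest_convex_projection(upper, lower, x):
    """Algorithm 1, for bounds whose projection t' mentions at most one variable y
    (enough for examples 2 and 3).  Returns the term t' + m, meaning t' + m <= 0."""
    tp, a, b = fm_project(upper, lower, x)                  # t' <= 0
    var = [v for v in tp if v != CONST]
    if a * b == 1 or not var:
        return tp                                           # exact projection: m = 0
    assert len(var) == 1, "demonstration limited to a projection over one variable"
    y, k, ct = var[0], tp[var[0]], tp.get(CONST, 0)
    s = lin(drop(lower, x), drop(upper, x), a, b)           # a*t2 + b*t1, untightened
    low = tighten(lin(s, {CONST: 1 - a * b}, -1, 1))        # thin part (6): -ab+1 <= s, tightened
    c_prime = -(low.get(CONST, 0) + ct)                     # so that the thin part is -c' <= t' <= 0
    delta = []
    for i in range(-c_prime, 1):                            # line 1: pivot equality t' = i
        if (i - ct) % k:
            continue                                        # k*y = i - ct has no integer solution
        yv = (i - ct) // k
        i1 = tighten(lin(drop(upper, y), {CONST: upper.get(y, 0) * yv}))   # line 2: t'_1 + c(i)
        i2 = tighten(lin(drop(lower, y), {CONST: lower.get(y, 0) * yv}))   # line 2: t'_2 + d(i)
        v1, v2 = drop(i1, CONST), drop(i2, CONST)
        if v1 == v2 or v1 != {v: -c for v, c in v2.items()}:
            return tp                                       # lines 3-4: equal or not parallel
        if i1.get(CONST, 0) + i2.get(CONST, 0) <= 0:
            delta.append(i)                                 # line 6: slice i is feasible
    if delta:
        return lin(tp, {CONST: -max(delta)})                # line 8 (largest feasible i, see lead-in)
    return lin(tp, {CONST: 1 - c_prime})                    # line 10: t' - c' + 1 <= 0


def proj_rule(upper, lower, x):
    """Proj rule of section 4.3: each side is (t <= 0, partial interpolant t^A <= 0).
    Returns (T(a*t2 + b*t1), T(a*t2^A + b*t1^A + m)); m comes from Algorithm 1 when the
    projection is inexact and both partial interpolants bound x like their judgements."""
    (u, ua), (l, la) = upper, lower
    t, a, b = fm_project(u, l, x)
    if a * b != 1 and ua.get(x) == a and la.get(x) == -b:
        return t, strongest_convex_projection(ua, la, x)
    return t, tighten(lin(la, ua, a, b))                    # m = 0


def implied(bounds, projection, variables, box):
    """Brute force: every integer point of [-box, box]^n satisfying all bounds
    also satisfies projection <= 0."""
    for values in product(range(-box, box + 1), repeat=len(variables)):
        point = dict(zip(variables, values))
        if all(holds(t, point) for t in bounds) and not holds(projection, point):
            return False
    return True


def example2():
    """Bounds (7) of example 2, eliminating y: 6x + 1 <= 0."""
    return strongest_convex_projection({"x": 1, "y": 3, CONST: -2}, {"x": 1, "y": -3, CONST: 1}, "y")


def example3():
    """Example 3, A = {x+3y-2 <= 0, x-3y+1 <= 0}, B = {-x <= 0}: returns the final derived
    inequality and its partial interpolant, which is the interpolant 6x + 1 <= 0."""
    up1 = proj_rule(({"x": 1, "y": 3, CONST: -2}, {"x": 1, "y": 3, CONST: -2}), ({"x": -1}, {}), "x")
    up2 = proj_rule(({"x": 1, "y": -3, CONST: 1}, {"x": 1, "y": -3, CONST: 1}), ({"x": -1}, {}), "x")
    return proj_rule(up1, up2, "y")
```

The checks worth running on such a routine are the three interpolant conditions themselves: `implied` confirms $A \models 6x + 1 \le 0$ over a box of points, no integer x satisfies both $6x + 1 \le 0$ and $-x \le 0$, while the plain projection $6x \le 0$ is satisfiable together with B at $x = 0$, which is why the page says it does not interpolate.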



Splinters If the FM procedure for QFP introduces splinters as described in section 4.1, the Omega test is called recursively for each splinter. More precisely, in case of an inexact projection when applying the Proj rule, the interpolation algorithm is called upon each pair $(A, B)_i$ and $(A, B)_{>s+1}$ defined as $(A \wedge t^A + i = 0,\ B \wedge t_2 - t^A = 0)$ and $(A \wedge t^A + s + 1 \le 0,\ B \wedge t_2 - t^A \le 0)$, respectively.

If all splinters produce an inconsistency, i.e., all pairs $(A, B)_i$ and $(A, B)_{>s+1}$ are inconsistent, the original system is unsatisfiable. We can construct an interpolant for (A, B) from the respective interpolants $I_i$ and $I_{>s+1}$ for $(A, B)_i$ and $(A, B)_{>s+1}$ as follows:

$$\textsc{Splin}\ \frac{(A, B)_i \vdash \bot\ [I_i] \text{ for all } i \in \{0, \ldots, s\} \qquad (A, B)_{>s+1} \vdash \bot\ [I_{>s+1}]}{(A, B) \vdash \bot\ [\bigvee_i I_i \vee I_{>s+1}]}$$

Soundness (of Splin). We show that the derived interpolant conforms to definition 1. We denote by $A_i$, $B_i$, $A_{>s+1}$ and $B_{>s+1}$ the respective components of the pairs $(A, B)_i$ and $(A, B)_{>s+1}$. Condition 1 follows from $A_i \models I_i$ and $\bigvee_i A_i \vee A_{>s+1} \equiv A$, i.e., $A \models \bigvee_i A_i \vee A_{>s+1}$. Condition 2 follows from the unsatisfiability of $\bigvee_i A_i \wedge B_i \wedge A_{>s+1} \wedge B_{>s+1}$ and $\bigvee_i B_i \vee B_{>s+1} \equiv B$. Finally, since $V(A_i) = V(A)$ and $V(A_{>s+1}) = V(A)$, condition 3 also holds. □



Example 4. In example 3 we first eliminate x and then y by using Proj. Note that if we reverse this order, no inconsistency is reached by using Proj only. This is due to the inexact projection of $x + 3y - 2 \le 0$ and $x - 3y + 1 \le 0$ by elimination of y. In this case, the number of splinters that must be derived is given by $s = (3 \cdot 3 - 3 - 3)/3 = 1$.

The Omega test is then called recursively for each pair $(A, B)_i$, $i \in \{0, 1\}$ and $(A, B)_{>2}$ given by $(A \wedge x - 3y + 1 + i = 0,\ B)$ and $(A \wedge x - 3y + 1 + 3 \le 0,\ B)$, respectively. The pairs $(A, B)_i$ contain both inequalities and equalities. In the next section, we show how to derive an interpolant for $(A, B)_i$. Once each pair $(A, B)_i$ and $(A, B)_{>2}$ has been proved inconsistent, we combine their respective interpolants with the Splin rule:

$$\textsc{Splin}\ \frac{(A, B)_0 \vdash \bot\ [2x \le 0 \wedge 3 \mid (x + 1)] \qquad (A, B)_1 \vdash \bot\ [2x \le 0 \wedge 3 \mid (x + 2)] \qquad (A, B)_{>2} \vdash \bot\ [6x + 1 \le 0]}{(A, B) \vdash \bot\ [(6x + 1 \le 0) \vee (2x \le 0 \wedge 3 \mid x + 2) \vee (2x \le 0 \wedge 3 \mid x + 1)]}$$

Note that the result is indeed an interpolant for (A, B). □
5 Putting it all together

5.1 Combining equality and stride constraints with inequalities

We now turn to the most challenging part of this work, namely deriving an interpolant for two inconsistent formulas A and B that are conjunctions of equality, inequality and stride constraints. In this section, we denote by $E_A$ and $E_B$ the conjunction of equality and stride constraints of A and B, respectively. In order to detect any inconsistency, the Omega test begins by eliminating stride and equality constraints from the system, i.e., the HypEq and ElimEq rules are applied to the pair $(E_A, E_B)$. We distinguish two cases:

(i) Suppose an unsatisfiable equality was found during the elimination. In this case, $E_I := proj(E_A, \mathcal{L}(E_A))$ is an interpolant for $(E_A, E_B)$. From the validity of $A \models E_A$, $B \models E_B$ and $\mathcal{L}(E_A) \subseteq \mathcal{L}(A)$, it follows that $E_I$ is also an interpolant for (A, B). That is, we derive an interpolant for (A, B) using the HypEq and ElimEq rules only, without considering the inequalities at all.

(ii) Otherwise, all equality and stride constraints are successfully eliminated. In this case, for each $x = t_u$ derived with the $\hat{\bmod}$ operator, the Omega test replaces each occurrence of x in every constraint of A and B, not only in the equalities. Eventually, a new pair $(A', B')$ consisting only of inequalities remains. The formula $A' \wedge B'$ is then equisatisfiable to $A \wedge B$.

To formalize the second case, we denote by $\phi\{x \leftarrow t_u\}$ the result of substituting the term $t_u$ for every occurrence of variable x in $\phi$. We use the same notation $\phi\{x \leftarrow t_u\}$ for the sequence of substitutions performed, in this order, during the equality elimination process. The formulas $A'$ and $B'$ are then given by $A\{x \leftarrow t_u\}$ and $B\{x \leftarrow t_u\}$, respectively.

We can now derive new partial interpolants for $(A', B')$ using the HypIn, Proj and Splin rules, with $A'$ and $B'$ in place of A and B. Once a contradiction is reached, the obtained interpolant will be valid for $(A', B')$, but not for (A, B). More precisely, since the terms $t_u$ may contain new variables, the generated interpolant may also contain a variable not occurring in (A, B). The problem is to map an interpolant for $(A', B')$ to an interpolant for (A, B).

We address this problem as follows. Let $t^{A'} \le 0$ be an interpolant for $(A', B')$. We show below how to compute a partial interpolant $t^A \le 0$ for (A, B) such that $t^{A'} = t^A\{x \leftarrow t_u\}$. We then demonstrate that $proj(t^A \le 0 \wedge E_A, \mathcal{L}_A)$ is an interpolant for (A, B). This is formalized using the following rule:

$$\textsc{Comb}\ \frac{(A', B') \vdash \bot\ [t^{A'} \le 0] \qquad t^{A'} = t^A\{x \leftarrow t_u\} \qquad (A, B) \vdash t \le 0\ [t^A \le 0]}{(A, B) \vdash \bot\ [proj(t^A \le 0 \wedge E_A, \mathcal{L}_A)]}$$

The partial interpolant $t^A \le 0$ that is needed to apply this rule is computed by "postponing" the substitutions. That is, after applying the Proj rule, the partial interpolant is kept in the form $a t_1 + b t_2\{x \leftarrow t_u\} \le 0$ instead of $a t_1\{x \leftarrow t_u\} + b t_2\{x \leftarrow t_u\} \le 0$.
Soundness (of Comb). We show that the derived interpolant satisfies definition 1. First, we observe that applying a substitution before a projection is equivalent to applying it after the projection, i.e., $a t_1\{x \leftarrow t_u\} + b t_2\{x \leftarrow t_u\} \le 0 \equiv a t_1 + b t_2\{x \leftarrow t_u\} \le 0$, where the substitutions are naturally extended to terms. Thus, there is no immediate need to apply the substitutions $\{x \leftarrow t_u\}$ before projecting using the Proj rule. More precisely, we can always derive a partial interpolant such that $(A', B') \vdash t \le 0\{x \leftarrow t\}\ [t^A \le 0\{x \leftarrow t\}]$. Subsequently, we know that $t^A \le 0$ and $t \le 0$ are linear combinations of inequalities in A and that, if projection occurs, $t^A \le 0$ is the strongest convex projection. Thus, $t^A \le 0$ is a partial interpolant for (A, B).

If an inconsistency is reached, we have derived a partial interpolant for (A, B) such that $t\{x \leftarrow t\} = c$ for some positive constant c. Since $t^A \le 0$ is a partial interpolant we conclude $A \models proj(t^A \le 0 \wedge E_A)$, which proves condition 1. To prove condition 2, we first note that $B \wedge proj(t^A \le 0 \wedge E_A)$ and $(B \wedge t^A \le 0 \wedge E_A)\{x \leftarrow t\}$ are equisatisfiable. We know $B \models t - t^A \le 0$ and, thus, conclude $(B \wedge t \le 0 \wedge E_A)\{x \leftarrow t\}$. This contradicts $t\{x \leftarrow t\} = c$, proving condition 2. Condition 3 follows since proj eliminates all variables local to A. □

Example 5. Consider the pair $(A, B)_1$ given by $(A \wedge x - 3y + 2 = 0,\ B)$, where
$A$ and $B$ are from Example 3. There is only one equality to eliminate. Since it
has a unit coefficient, the only substitution is $\{x \leftarrow (3y - 2)\}$. The two partial
interpolants resulting in an inconsistency are:

$$
\textsc{Proj}\quad
\frac{(A, B)_1 \vdash 6y \le 0\ [x - 3y + 1 \le 0\,\{x \leftarrow (3y - 2)\}] \qquad
      (A, B)_1 \vdash -3y + 2 \le 0\ [0 \le 0\,\{x \leftarrow (3y - 2)\}]}
     {(A, B)_1 \vdash \bot\ [x - 3y + 1 \le 0\,\{x \leftarrow (3y - 2)\}]}
$$

Note that the substitutions were not applied to the partial interpolant, so that the
final interpolant can be determined with the Comb rule:

$$
\textsc{Comb}\quad
\frac{(A, B)_1 \vdash \bot\ [x - 3y + 1 \le 0\,\{x \leftarrow (3y - 2)\}]}
     {(A, B)_1 \vdash \bot\ [2x \le 0 \wedge 3 \mid (x + 2)]}
$$

The resulting interpolant has been obtained by applying $\mathit{proj}$ to $x - 3y + 1 \le 0 \wedge x - 3y + 2 = 0$. □
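The postponed substitution behind the Comb rule and the shape of the derivation in Example 5, as an added worked example. This is editor-written code, not the paper's implementation, and it runs on a constructed instance (A = {x − 3y + 2 = 0, 2x + 4 ≤ 0}, B = {−x ≤ 0}, with y local to A) rather than on the paper's Example 3; the helper names (`term`, `hyp_in`, `combine`, `comb`, `is_interpolant`) and the brute-force search bound are assumptions of the example. It tracks a partial interpolant as the pair (t, t^A), keeps t^A unsubstituted through the Proj combination, checks that substitution commutes with the linear combination (the observation used in the soundness proof), performs the proj step over the A-local variable (equality elimination plus the stride constraint it leaves behind), and finally verifies the three interpolant conditions by exhaustive enumeration on a bounded integer box.

```python
# Added example (not the paper's code): postponed substitution, the Comb step
# and a brute-force check of the interpolant conditions on a constructed instance.
from functools import reduce
from itertools import product
from math import gcd
from typing import Dict, List, Tuple

Term = Dict[str, int]   # variable -> coefficient; key "" holds the constant
Constraint = tuple      # ("le", t): t <= 0   ("eq", t): t = 0   ("div", m, t): m | t


def term(**c: int) -> Term:
    """term(x=2, const=4) is 2x + 4; zero coefficients are dropped."""
    return {("" if k == "const" else k): v for k, v in c.items() if v}


def add(a: Term, b: Term) -> Term:
    out = dict(a)
    for k, v in b.items():
        out[k] = out.get(k, 0) + v
        if out[k] == 0:
            del out[k]
    return out


def scale(c: int, a: Term) -> Term:
    return {k: c * v for k, v in a.items()} if c else {}


def subst(a: Term, s: Dict[str, Term]) -> Term:
    """phi{x <- t}: replace every variable named in s by its term."""
    out: Term = {}
    for k, v in a.items():
        out = add(out, scale(v, s[k]) if k in s else {k: v})
    return out


def normalize(ineq: Term) -> Term:
    """Divide t <= 0 by the gcd g of its variable coefficients and round the
    constant up to ceil(c/g); exact over the integers (3y <= 0 becomes y <= 0)."""
    g = reduce(gcd, (abs(v) for k, v in ineq.items() if k), 0)
    if g <= 1:
        return ineq
    out = {k: v // g for k, v in ineq.items() if k}
    c = -((-ineq.get("", 0)) // g)          # ceiling division
    return add(out, {"": c}) if c else out


PI = Tuple[Term, Term]   # (A,B) |- t <= 0 [tA <= 0] is kept as the pair (t, tA)


def hyp_in(t: Term, in_a: bool, s: Dict[str, Term]) -> PI:
    """HypIn over (A',B'): the hypothesis is introduced with the substitution
    applied, while the partial interpolant keeps the unsubstituted A-part."""
    return subst(t, s), (t if in_a else {})


def combine(c1: int, p1: PI, c2: int, p2: PI, var: str) -> PI:
    """Proj step: positive linear combination cancelling `var`; the partial
    interpolant is combined with the substitution still postponed."""
    assert c1 > 0 and c2 > 0
    t = add(scale(c1, p1[0]), scale(c2, p2[0]))
    assert var not in t, "the combination must cancel the projected variable"
    return t, add(scale(c1, p1[1]), scale(c2, p2[1]))


def eliminate_var_by_equality(ineq: Term, eq: Term, var: str) -> Term:
    """Use a*var + r = 0 to remove `var` from c*var + u <= 0 while staying in
    the integers: |a|*ineq - c*sign(a)*eq has no `var` term."""
    a, c = eq[var], ineq.get(var, 0)
    sign = 1 if a > 0 else -1
    return normalize(add(scale(abs(a), ineq), scale(-c * sign, eq)))


def comb(tA: Term, eq: Term, local: str) -> List[Constraint]:
    """Comb step: proj(tA <= 0 /\\ E_A) over one A-local variable. The equality
    a*local + r = 0 leaves the stride constraint |a| | r behind (trivial if |a| = 1)."""
    a = eq[local]
    r = {k: v for k, v in eq.items() if k != local}
    out: List[Constraint] = [("le", eliminate_var_by_equality(tA, eq, local))]
    if abs(a) > 1:
        out.append(("div", abs(a), r))
    return out


def evaluate(a: Term, env: Dict[str, int]) -> int:
    return sum(v * (env[k] if k else 1) for k, v in a.items())


def holds(cs: List[Constraint], env: Dict[str, int]) -> bool:
    for c in cs:
        val = evaluate(c[-1], env)
        if (c[0] == "le" and val > 0) or (c[0] == "eq" and val != 0) \
                or (c[0] == "div" and val % c[1] != 0):
            return False
    return True


def variables(cs: List[Constraint]) -> set:
    return {k for c in cs for k in c[-1] if k}


def is_interpolant(A, B, I, lo: int = -8, hi: int = 8) -> bool:
    """Definition 1 checked by brute force on [lo, hi]^n; the bound is a
    constructed one that suffices for run_example(), not a general proof."""
    if not variables(I) <= variables(A) & variables(B):     # condition 3
        return False
    vs = sorted(variables(A) | variables(B) | variables(I))
    for vals in product(range(lo, hi + 1), repeat=len(vs)):
        env = dict(zip(vs, vals))
        if holds(A, env) and not holds(I, env):             # condition 1: A |= I
            return False
        if holds(B, env) and holds(I, env):                 # condition 2: B /\ I unsat
            return False
    return True


def run_example() -> dict:
    """Constructed instance: A = {x - 3y + 2 = 0, 2x + 4 <= 0}, B = {-x <= 0}, y local to A."""
    eq, a1, b1 = term(x=1, y=-3, const=2), term(x=2, const=4), term(x=-1)
    s = {"x": term(y=3, const=-2)}       # unit coefficient on x: {x <- 3y - 2}
    pa = hyp_in(a1, True, s)             # (A',B') |- 6y <= 0       [2x + 4 <= 0 {x <- 3y - 2}]
    pb = hyp_in(b1, False, s)            # (A',B') |- -3y + 2 <= 0  [0 <= 0]
    bot = combine(1, pa, 2, pb, "y")     # 1*6y + 2*(-3y + 2) = 4 <= 0: contradiction
    # soundness observation: substituting the combined A-part equals combining the substituted ones
    commutes = subst(bot[1], s) == add(scale(1, subst(pa[1], s)), scale(2, subst(pb[1], s)))
    I = comb(bot[1], eq, "y")            # proj(2x + 4 <= 0 /\ x - 3y + 2 = 0) over y
    A, B = [("eq", eq), ("le", a1)], [("le", b1)]
    return {"contradiction": bot[0], "commutes": commutes,
            "interpolant": I, "is_interpolant": is_interpolant(A, B, I)}


if __name__ == "__main__":
    print(run_example())
```

On this instance the Comb step yields the interpolant x + 2 ≤ 0 ∧ 3 | (x + 2), which mentions only the shared variable x; the brute-force check confirms A implies it and that it is inconsistent with B. Note that the partial interpolant 2x + 4 ≤ 0 is only well formed for (A, B) because the substitution was postponed: had {x ← 3y − 2} been applied, the A-part would read 6y ≤ 0 and mention the A-local variable y.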



Summary. Fig. 1 shows the Omega test extended by our deduction rules in
order to construct (partial) interpolants. Since the Omega test is complete for
conjunctions of equalities, inequalities and stride constraints, and we provide a
deduction rule for each of its steps, the extended algorithm is complete as well.

In practice, we decouple the search for an inconsistency from the computation
of an interpolant. That is, our implementation of Omega-Interpolate takes
$A$, $B$ and an inconsistency proof as input and annotates this proof with partial
interpolants. This allows many optimizations. Substitutions are not performed
if all equalities encountered during step ① are satisfiable, and no partial
interpolant is computed for projections that do not lead to an inconsistency.
Throughout the algorithm, arithmetic normalizations, such as replacing $3y \le 0$
by $y \le 0$, prevent the coefficients from growing unnecessarily.
Omega-Interpolate(A, B)

① Introduce equalities and stride constraints from (A, B) using HypEq.
   While eliminating equalities and stride constraints using ElimEq:
   • If an unsatisfiable constraint is found: return "UNSAT" + interpolant generated
     by ElimEq.
   If (A, B) has no inequalities: return "SAT".

② Introduce inequalities from (A, B), with substitutions applied, using HypIn.
   While projecting all inequalities using Proj:
   • If an unsatisfiable constraint is found: return "UNSAT" + interpolant generated
     by Comb.
   If an inexact projection occurred:
   • Recursively call Omega-Interpolate for each pair (A', B')_i, i ∈ {0, …, s},
     and (A', B')_{s+1}.
   • If every pair is "UNSAT": compute the interpolant for (A', B') using Splin
     and return "UNSAT" + interpolant for (A, B) using Comb.
   Otherwise: return "SAT".

Fig. 1. The Omega Test with Interpolation
5.2 Time Complexity 

We discuss the worst-case time complexity of our interpolation algorithm. Let $\alpha$
be the maximum absolute value of any coefficient and any periodicity occurring
in the partial interpolants across the entire proof. In the original set of
constraints, let $w$ denote the maximum number of variables per constraint in $A$ and
$e$ the number of equality and stride constraints in $A$. The cost of eliminating one
variable $x$ using $\mathit{proj}$ is $O(e(w + \log^2 \alpha))$. Let $v$ be the number of local variables
that occur in equalities. Procedure $\mathit{proj}$ is applied $v$ times in order to eliminate
all local variables. In the worst case, the number of constraints $e$ increases by one
after each projection due to homogenization. In case of an inconsistency in the
equalities, the worst-case time complexity of deriving an interpolant is therefore
$O((w + \log^2 \alpha)(ve + v^2))$.

For inequalities, the Proj rule, including computing the strongest convex
projection, has a complexity of $O(w \log \alpha)$. If Proj is applied $p$ times, the overall
interpolation complexity is therefore $O(pw \log \alpha + (w + \log^2 \alpha)(ve + v^2))$. We
observed the run-time to be much smaller in practice, owing to many unit or
small coefficients in the original pair $(A, B)$ (also confirmed by [8]).

6 Conclusion 

We have presented an interpolation method for quantifier-free Presburger arithmetic
(QFP). Our method first eliminates equalities and stride constraints from
the system and then projects inequalities using an extension of Fourier-Motzkin
variable elimination. These steps are formalized as proof rules that, as
a side effect, transform partial interpolants into full interpolants for the given system
of constraints. Our method is the first to enable efficient interpolation for
quantifier-free linear integer arithmetic. In contrast to previous work, it permits
combinations of equalities, inequalities and divisibility properties.

The results presented in this paper are expected to improve model checking
based on counterexample-guided abstraction refinement (CEGAR). As shown in
[16], program verification often requires computing inductive invariants involving
constraints over integers. If a candidate invariant fails, interpolation can aid the
discovery of new candidates. Our work permits the computation of interpolants
for formulas given as combinations of the above-mentioned constraints.

A preliminary implementation of our algorithm shows that for QFP formulas
occurring in practice, the run-time of the algorithm is much better than the
estimated worst-case performance. We attribute this efficiency to small variable
coefficients and a small number of variables per constraint.